Presentation on
IPV4 VS IPV6
SECURITY AND THREAT COMPARISONS
Group Name
• Konda Reddy
• Suman KC
• Farha Diba
• Bikram Shrestha
• Rajwinder kaur
IPv6 Address Representation
• 128 bits.
• Represented by 8 colon-separated segments.
• Each 16-bit segment written in hexadecimal.
Example:
3ffe:3700:1100:0001:d9e6:0b9d:14c6:45ee
IPv6 Address Compaction
Leading zeroes in a 16-bit segment can be compacted
Example:
fe80:0210:1100:0006:0030:a4ff:000c:0097
Becomes:
fe80:210:1100:6:30:a4ff:c:97
IPv6 Address Compaction
All zeroes in one or more contiguous 16-bit segments can be represented with a
double colon (::)
Example:
ff02:0000:0000:0000:0000:0000:0000:0001
Becomes:
ff02::1
But…
IPv6 Address Compaction
Double colons can only be used once
Example:
2001:0000:0000:0013:0000:0000:0b0c:3701
Can be:
2001::13:0:0:b0c:3701
Or:
2001:0:0:13::b0c:3701
But not:
2001::13::b0c:3701
IPv6 Address Types
Unicast
• Identifies a single interface
• A packet sent to a unicast address is delivered to the interface identified by that address
Multicast
• Identifies a set of interfaces
• A packet sent to a multicast address is delivered to all interfaces identified by that address
Anycast
• Identifies a set of interfaces
• A packet sent to an anycast address is delivered to the nearest interface identified by that
address (as defined by the routing protocol)
IPv6 has no broadcast addresses
• IPv6 uses the "all-nodes" multicast address instead (ff01:0:0:0:0:0:0:1)
Interface ID
• Unique to the link
• Identifies an interface on a specific link
• Can be automatically derived
  - IEEE addresses use MAC-to-EUI-64 conversion
  - Other addresses use other automatic means
• Can be used to form a link-local address
• Can be used to form a global address with stateless autoconfiguration
MAC-to-EUI-64 Conversion
• The first three octets of the MAC become the Company-ID
• The last three octets of the MAC become the Node-ID
• 0xfffe is inserted between Company-ID and Node-ID
• The Universal/Local bit (U/L bit) is set to 1 for global scope
MAC-to-EUI-64 Conversion Example
• MAC Address: 0000:0b0a:2d51
• In binary:
  00000000 00000000 00001011 00001010 00101101 01010001
• Insert fffe between Company-ID and Node-ID:
  00000000 00000000 00001011 11111111 11111110 00001010 00101101 01010001
• Set the U/L bit to 1:
  00000010 00000000 00001011 11111111 11111110 00001010 00101101 01010001
• Resulting EUI-64 Address: 0200:0bff:fe0a:2d51
Using the EUI-64 Interface ID
EUI-64 Address:
200:bff:fe0a:2d51
Link-Local Address:
fe80::200:bff:fe0a:2d51
Global Unicast Address:
3ffe:3700:1100:1:200:bff:fe0a:2d51
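The compaction rules from the address slides and the EUI-64 procedure above, as an added Python example (my own code, not from the presentation): an expander that rejects a second "::", a compactor, the MAC-to-EUI-64 conversion with the link-local and global addresses derived from it, and the reverse step that recovers a MAC embedded in an interface ID, which is what an auditor uses to find hosts that expose their hardware address. Function names are my own.

```python
import re
from typing import List, Optional


def expand_ipv6(addr: str) -> List[int]:
    """Expand a textual IPv6 address into its 8 16-bit segments.

    Rules from the slides: leading zeroes in a segment may be dropped and one
    run of all-zero segments may be written as '::'. A second '::' is rejected
    because the expansion would be ambiguous (e.g. 2001::13::b0c:3701).
    """
    if addr.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one segment: {addr}")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 segments, got {len(parts)}: {addr}")
    if not all(re.fullmatch(r"[0-9a-fA-F]{1,4}", p) for p in parts):
        raise ValueError(f"segments must be 1-4 hex digits: {addr}")
    return [int(p, 16) for p in parts]


def is_valid_ipv6(addr: str) -> bool:
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def compact_ipv6(segs: List[int]) -> str:
    """Shortest form: no leading zeroes, and the longest run of two or more
    zero segments (the first such run on a tie) replaced by a single '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if segs[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and segs[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{s:x}" for s in segs]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def canonical(addr: str) -> str:
    return compact_ipv6(expand_ipv6(addr))


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC, following the slide:
    Company-ID | ff:fe | Node-ID, then the U/L bit (0x02 of the first octet).
    RFC 4291 inverts that bit; a globally unique MAC has it clear, so inverting
    sets it to 1 exactly as the slide's example shows."""
    raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"MAC must be 48 bits: {mac}")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def with_prefix(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix (e.g. 'fe80::') with an 8-byte interface ID."""
    segs = expand_ipv6(prefix)[:4]
    segs += [int.from_bytes(iid[k:k + 2], "big") for k in range(0, 8, 2)]
    return compact_ipv6(segs)


def link_local(mac: str) -> str:
    return with_prefix("fe80::", mac_to_eui64(mac))


def global_unicast(prefix: str, mac: str) -> str:
    return with_prefix(prefix, mac_to_eui64(mac))


def embedded_mac(addr: str) -> Optional[str]:
    """Reverse the conversion: if the interface ID carries ff:fe in the middle,
    the host is using a MAC-derived (EUI-64) address and its MAC is recoverable.
    Returns None for addresses that do not look MAC-derived."""
    segs = expand_ipv6(addr)
    iid = b"".join(s.to_bytes(2, "big") for s in segs[4:])
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)
```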
IPv4 vs. IPv6 Header Formats
How the IPv6 process starts from a host
• When a host joins the network, it sends an ICMPv6 Neighbor Solicitation (NS) packet
to perform Duplicate Address Detection (DAD) for its link-local address.
• After the host determines its link-local address is safe to use, it sends an ICMPv6
Type 133 Router Solicitation (RS) message to attempt to learn details about the
network from the local router.
• Upon receiving this RS, the router sends out an ICMPv6 Type 134 Router
Advertisement (RA) message so that the requesting host, and all others on that LAN
segment, have information about the LAN and how they should go about
obtaining their global unicast address.
• The router also periodically sends out RA messages, typically every 200 seconds,
to make sure all the nodes on the LAN have the current information about the local
IPv6 prefix.
How RA works / disable RA
• The ICMPv6 Router Advertisement (RA) that the router sends to the IPv6 all-nodes link-local
multicast group address (FF02::1) is received and processed by all the nodes on the
LAN. The RA carries a variety of valuable information, in addition to guidance to the
nodes on the LAN about how they will obtain their IPv6 address. The RA contains several bits that
tell the node how it should behave:
• Address Autoconfiguration Flag (A flag) indicates whether stateless address autoconfiguration
(SLAAC) should be used.
• On-Link Flag (L flag) indicates that the prefix is "on-link" and local to this network.
• Managed Address Configuration Flag (M flag) indicates that the nodes should use DHCPv6 to
determine their interface identifier.
• Other Stateful Configuration Flag (O flag) indicates that other information is available to help the
node (e.g. DNS server information).
Path MTU
• IPv6 defines a standard mechanism called path MTU discovery that a source node can use to
learn the path MTU of the path that a packet is likely to traverse. If any of the packets sent on that
path are too large to be forwarded by a node along the path, that node discards the packet and
returns an ICMPv6 Packet Too Big message. The source node can then adjust its MTU to be
smaller than that of the node that dropped the packet and sent the ICMPv6 message, and then
retransmit the packet. A source node might receive Packet Too Big messages repeatedly until its
packet traverses all nodes along the path successfully.
• Initially, the PMTU value for a path is assumed to be the (known) MTU of the first-hop link. When
a Packet Too Big message is received, the node determines which path the message applies to
based on the contents of the Packet Too Big message. For example, if the destination address is
used as the local representation of a path, the destination address from the original packet would
be used to determine which path the message applies to.
• NOTE: A Routing header determines the location of the destination address within the original
packet.
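The discovery loop and the per-destination PMTU table described above, as an added Python simulation (my own code, not from the presentation). The path and its link MTUs are constructed; the cache shows the two checks a stack applies to a Packet Too Big before trusting it, and what happens when Packet Too Big messages never arrive.

```python
MIN_IPV6_MTU = 1280  # every IPv6 link must carry at least this (RFC 8200)


def find_path_mtu(link_mtus, packet_size, ptb_delivered=True):
    """Simulate the slide's loop for one path.

    link_mtus: constructed list of link MTUs along the path, first hop first.
    packet_size: what the source wants to send.
    Returns (pmtu, attempts, ptb_mtus). The estimate starts at the first-hop
    MTU; the first hop that cannot forward "returns" a Packet Too Big carrying
    its own MTU and the source resends with that size, possibly several times.
    With ptb_delivered=False (ICMPv6 filtered somewhere) the source gets no
    feedback at all: the packet is silently lost and pmtu is None.
    """
    if min(link_mtus) < MIN_IPV6_MTU:
        raise ValueError("IPv6 links must support an MTU of at least 1280")
    pmtu, attempts, ptb_mtus = link_mtus[0], 0, []
    while True:
        attempts += 1
        size = min(packet_size, pmtu)
        blocking = next((m for m in link_mtus if m < size), None)
        if blocking is None:
            return pmtu, attempts, ptb_mtus      # traversed every hop
        if not ptb_delivered:
            return None, attempts, ptb_mtus      # black hole: no feedback
        ptb_mtus.append(blocking)
        pmtu = blocking                          # resend at the reported MTU


class PmtuCache:
    """Per-destination PMTU state, keyed by destination address as the slide
    describes. A Packet Too Big may only lower the cached value, and never
    below MIN_IPV6_MTU, so a spoofed PTB cannot raise the estimate or drive
    the node into sending sub-1280 packets."""

    def __init__(self, first_hop_mtu):
        self.first_hop_mtu = first_hop_mtu
        self.table = {}

    def get(self, dst):
        return self.table.get(dst, self.first_hop_mtu)

    def on_packet_too_big(self, dst, reported_mtu):
        """Apply a PTB for dst; returns True only if the estimate changed."""
        new = max(reported_mtu, MIN_IPV6_MTU)
        if new >= self.get(dst):
            return False                         # stale, duplicate or bogus
        self.table[dst] = new
        return True
```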
Typical IPv6 Security Issues
Almost identical to IPv4 security issues:
• First-hop protocol vulnerabilities
• Denial-of-Service attacks
• User authentication and authorization
• Eavesdropping, session hijacking, DNS spoofing
• Routing security
• Dual-stack exposures (IPv6 enabled, but policies/firewall filters not enforced for it)
IPv6 similarities with IPv4
The majority of vulnerabilities on the Internet today are at the application layer, which even
IPsec will do nothing to prevent.
Rogue devices will be as easy to insert into an IPv6 network as into an IPv4 one.
Without strong mutual authentication, any attack utilizing MITM will have the same
likelihood in IPv6 as in IPv4.
Flooding attacks are identical between IPv4 and IPv6.
IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4.
Reconnaissance
• Default subnets in IPv6 have 2^64 addresses (i.e., 10 Mpps).
• Today there is no known ping sweep tool for IPv6. Nmap, which supports ping sweeping in v4,
elected not to support it in IPv6, most likely for this reason.
• Most importantly, public servers need to be reachable via DNS.
• Scanning-based attacks will effectively fail. This protection exists if the attacker has no direct
access to the specific subnet and is therefore trying to scan it remotely. If an attacker has local
access, they could use Neighbor Discovery (ND) and ping6 to the link-scope multicast address
ff02::1 to detect the IEEE-based addresses of local neighbors, then apply the global prefix to those
to simplify the search (of course, a locally connected attacker has many scanning options with IPv4
as well).
• By compromising hosts in a network, an attacker can learn new addresses to scan.
• Transition techniques (see further) derive IPv6 addresses from IPv4 addresses.
More on reconnaissance
• The first category of attack is reconnaissance, which is also generally the first
attack executed by an adversary. In this attack the adversary attempts to learn as
much as possible about the victim network. This includes both active network
methods such as scanning and more passive data mining, such as through
search engines or public documents.
• Ping sweeps, port scans, application and vulnerability scans: some tools such as
Nmap can perform elements of all these scan types at the same time.
FHS: First Hop Security
• RA guard use-case
• IPv6 device tracking
• IPv6 snooping logging
• IPv6 source guard
• IPv6 snooping
• Port ACL blocks all ICMPv6 RAs from hosts
• Fake DHCPv6 replies
• Selectively filter ICMP
• Disable RH0
RA Guard
RA Guard is a feature that allows the operator of a Layer 2 switch to predetermine which
switch ports are actually router facing.
RA Guard can also validate the source of the RA, the prefix list, the preference and any
other information carried within it. It can validate the cryptographic credentials when
provided (as defined in the Secure Neighbor Discovery specification, i.e. SeND) to provide
nodes that don't support SeND with a level of security equivalent to those that do
support it.
How it helps with rogue DHCP: permit RAs only if they have the M and O bits set, and
enforce that the subsequently DHCP-advertised prefix is within the company's range.
Enable logging on the network device for auditing.
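The RA flags from the slide above and the RA Guard rule (router-facing port, M and O bits set, advertised prefix inside the company's range), as an added Python example: a parser for the RA message and its Prefix Information option, and a policy function in the spirit of RA Guard. This is my own illustration, not a vendor implementation; the RA bytes, port names and the 2001:db8::/32 range are constructed test data, and the ICMPv6 checksum is left at zero because no pseudo-header is in play here.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ND_ROUTER_ADVERT = 134   # ICMPv6 type
OPT_PREFIX_INFO = 3      # ND option type


@dataclass
class PrefixInfo:
    prefix: ipaddress.IPv6Network
    on_link: bool        # L flag
    autonomous: bool     # A flag: prefix usable for SLAAC
    valid: int
    preferred: int


@dataclass
class RouterAdvert:
    hop_limit: int
    managed: bool        # M flag: get addresses from DHCPv6
    other: bool          # O flag: get other config (DNS) from DHCPv6
    router_lifetime: int
    prefixes: list = field(default_factory=list)


def build_ra(hop_limit, managed, other, lifetime, prefixes):
    """Constructed test vector: serialise an RA body (checksum field 0)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0,
                      hop_limit, flags, lifetime, 0, 0)
    for net, on_link, auto in prefixes:
        net = ipaddress.IPv6Network(net)
        pflags = (0x80 if on_link else 0) | (0x40 if auto else 0)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                           pflags, 2592000, 604800, 0)
        msg += net.network_address.packed
    return msg


def parse_ra(msg: bytes) -> RouterAdvert:
    """Decode the fixed RA header and walk the options by their length."""
    if len(msg) < 16:
        raise ValueError("truncated RA")
    typ, code, _csum, hop, flags, life, _r, _t = struct.unpack("!BBHBBHII", msg[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError(f"not a Router Advertisement: type {typ} code {code}")
    ra = RouterAdvert(hop, bool(flags & 0x80), bool(flags & 0x40), life)
    off = 16
    while off < len(msg):
        if len(msg) - off < 2 or msg[off + 1] == 0:
            raise ValueError("bad option header")   # RFC 4861: length 0 => discard
        otype, end = msg[off], off + msg[off + 1] * 8
        if end > len(msg):
            raise ValueError("option runs past end of message")
        if otype == OPT_PREFIX_INFO and end - off == 32:
            plen, pflags, valid, pref = struct.unpack("!BBII", msg[off + 2:off + 12])
            addr = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra.prefixes.append(PrefixInfo(
                ipaddress.IPv6Network((addr, plen), strict=False),
                bool(pflags & 0x80), bool(pflags & 0x40), valid, pref))
        off = end    # unknown options are skipped, not rejected
    return ra


def ra_guard_verdict(src, ingress_port, ra_bytes, *, router_ports, allowed):
    """Accept or drop an RA using the slide's rule set (hypothetical policy).
    router_ports: set of port names known to face a router; allowed: the
    company's prefix as text. Returns (accepted, reason)."""
    allowed = ipaddress.IPv6Network(allowed)
    if ingress_port not in router_ports:
        return False, f"RA received on host-facing port {ingress_port}"
    if not ipaddress.IPv6Address(src).is_link_local:
        return False, f"RA source {src} is not link-local"
    try:
        ra = parse_ra(ra_bytes)
    except ValueError as exc:
        return False, f"malformed RA: {exc}"
    if not (ra.managed and ra.other):
        return False, "M/O flags not set: RA would steer hosts away from DHCPv6"
    for p in ra.prefixes:
        if not p.prefix.subnet_of(allowed):
            return False, f"prefix {p.prefix} outside {allowed}"
    return True, "accepted"
```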
IPv6 snooping
• RA guard / DHCP guard
• IPv6 address gleaning
• IPv6 ND inspection
IPv6 snooping includes the guard functions: if you enable IPv6 snooping, you do not need to
explicitly configure RA guard / DHCP guard on the same port.
• IPv6 address gleaning
  - Address gleaning learns the IPv6 addresses of devices connected to the link and is a
prerequisite for more advanced FHS features like Source Guard. The learning is done by examining
information in ND and DHCPv6 packets (in particular the addresses carried in them). However, by
default DHCPv6 server messages are dropped, so in order to glean from DHCPv6 messages a guard
policy that allows DHCPv6 server messages must be applied on the port connecting the valid
DHCPv6 server.
  - The FHS code learns the addresses and installs them into the binding table. Each entry contains
the source the address was learned from, the address itself, the MAC address, interface, VLAN,
priority level, age, state and time left.
• IPv6 ND inspection
  - ND inspection verifies the sanity of the ND messages that pass through the device. It can also
enforce limits on the number of addresses per port. This feature enforces the ND process by
ensuring that all parties step through all the correct steps in the ND process. The ND inspection
process builds the neighbor binding table.
Fake RA Messages
• Traffic interception
• DNS IPv6 address injection (DNS interception)
• Denial-of-service attack (bogus prefixes)
Fake DHCPv6 Replies
• Intruder responds to DHCPv6 requests
• DNS IPv6 address injection
• Denial-of-service attack
Solution: enable DHCPv6 guard.
Fake Neighbor Advertisement Messages
Intruder responds to ICMPv6 Neighbor Solicitation requests
• Traffic interception
• Denial-of-service attack
• Mitigation: enable DHCPv6 snooping, ND inspection, SeND
ARP spoofing (v4) = NDP spoofing (v6)
Dynamic ARP inspection for IPv6 is available.
Secure Neighbor Discovery (cryptographic NDP): IPv6 addresses whose interface
identifiers are cryptographically generated.
Replay attacks are prevented by timestamp and nonce options.
IPv6 supports all the usual features: Dot1x (802.1X), private VLANs, port security.
Attacks (continued)
• Remote Neighbor Discovery attacks
• How to prevent:
  - Tight ingress ACLs (check the forwarding-path order of operation)
  - Control-plane policing (CoPP)
  - ND cache limits (globally and per box)
  - Prefixes longer than /64 (extreme measure, use with care)
DAD Attacks
• Effectively disable SLAAC
• Might interfere with DHCPv6-based address assignment
IPv6 Extension Headers
• All networking gear should drop packets with RH0 by default
• Firewalls and ACLs should be able to filter on extension headers
• Firewalls should limit the number of extension headers
• Firewalls/ACLs should be able to drop packets carrying fragment headers
More on RH0
• The IPv6 Type 0 Routing header is similar in function to the Loose Source and
Record Route IP options. The IPv6 Routing header is identified by a Next Header
(NH) value of 43 in the immediately preceding header.
• Attackers can maliciously use IPv6 Type 0 Routing headers to bypass packet filters
(IPv6 access-list policies) or anycast addressing and routing. These headers can
also be used to perform reflected denial of service (DoS) attacks, spoofing,
double spoofing, and amplification attacks (ping-pong attacks that can cause link
saturation and potential performance issues through added CPU processing).
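A checker for the extension-header rules on the slides above (drop RH0, limit the number of extension headers, optionally drop fragments), as an added Python example that is my own and not from the presentation. It walks the Next Header chain of a raw IPv6 packet, which is the step a filter must get right before any RH0 rule can fire; the packets, addresses (2001:db8::/32) and helper names are constructed for the test.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS = 0, 43, 44, 51, 60
NH_TCP, NH_UDP, NH_ICMPV6, NH_NONEXT = 6, 17, 58, 59
EXT_HEADERS = {NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS}


@dataclass
class ChainReport:
    headers: List[int]          # extension headers in chain order
    routing_types: List[int]    # routing type of each Routing header seen
    fragmented: bool
    upper_layer: Optional[int]  # protocol after the last extension header


def walk_chain(pkt: bytes) -> ChainReport:
    """Follow Next Header from the fixed IPv6 header through every extension
    header. Lengths differ per header: Fragment is a fixed 8 bytes, AH counts
    in 4-byte units, everything else in 8-byte units (RFC 8200 / RFC 4302)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    headers, rtypes, fragmented = [], [], False
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("extension header truncated")
        headers.append(nh)
        if nh == NH_FRAGMENT:
            fragmented, hlen = True, 8
        elif nh == NH_AH:
            hlen = (pkt[off + 1] + 2) * 4
        else:
            hlen = (pkt[off + 1] + 1) * 8
        if nh == NH_ROUTING:
            rtypes.append(pkt[off + 2])      # Routing Type byte
        nh, off = pkt[off], off + hlen
    return ChainReport(headers, rtypes, fragmented, nh)


def filter_verdict(pkt: bytes, max_ext_headers: int = 3, drop_fragments: bool = False):
    """Apply the slide's rules; returns (passed, reason). Malformed chains are
    dropped too, since a filter that cannot parse the chain cannot enforce it."""
    try:
        rep = walk_chain(pkt)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if 0 in rep.routing_types:
        return False, "RH0 present"
    if len(rep.headers) > max_ext_headers:
        return False, f"{len(rep.headers)} extension headers exceed limit {max_ext_headers}"
    if drop_fragments and rep.fragmented:
        return False, "fragment header present"
    return True, "pass"


# Constructed packet builders for the test vectors (hypothetical helpers).
def ipv6_packet(src, dst, first_nh, payload, hop_limit=64):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def routing_hdr(next_nh, rtype, addrs):
    body = struct.pack("!BBBBI", next_nh, 2 * len(addrs), rtype, len(addrs), 0)
    return body + b"".join(ipaddress.IPv6Address(a).packed for a in addrs)


def fragment_hdr(next_nh, offset=0, more=False, ident=1):
    return struct.pack("!BBHI", next_nh, 0, (offset << 3) | int(more), ident)


def dstopts_hdr(next_nh):
    return bytes([next_nh, 0, 1, 4, 0, 0, 0, 0])   # one PadN option fills 8 bytes
```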
Routing Security with IPv6
• Challenges and solutions almost identical to IPv4:
  - Don't run routing protocols on customer-facing interfaces
  - Use IPsec with OSPFv3
  - Use MD5 authentication with other routing protocols
• Best practices:
  - Network Ingress Filtering (BCP38) for IPv4 and IPv6
  - TTL security (BGP)
  - Route filters in distance- and path-vector protocols
Challenges in implementing v6 in DMZs
• Normally, servers are connected to a network device on a single NIC or a bond
(active/standby, active/active).
• The switch-connected port might be an access VLAN or trunk VLAN port.
• If it is an access port, tag the host interface with the new external VLAN for v6 communication.
Tasks:
1. Configure the external VLAN on the firewall.
2. Tag the new VLAN on the respective switch and change the host port configuration to trunk.
3. Configure the server's port as trunk and test connectivity.
Advantages:
• No physical movement of the host
• Logical configuration only
• Sysops and Network teams need to work together to test connectivity
• Unblocks the IPv6 implementation for a faster rollout

APNIC Hackathon IPv4 & IPv6 security & threat comparisons
